Point-to-point OpenVPN

zorrua · November 15, 2019, 2:58pm

Hello,

I want to configure a point-to-point vpn with OpenVPN. Both routers has public IP and and reachable by dynamic DNS.

I installed "luci-app-openvpn" package and now I have a tab in the LuCI interface.

Anyone could help with a PtP configuration?

I will appreciate your help.

Regards.

trendy · November 15, 2019, 3:06pm

This is my config, adjust it to your needs.

config openvpn 'vps'
        option enabled '1'
        option dev 'tun0'
        option ifconfig '10.0.20.2 10.0.20.1'
        option port '1194'
        option dev_type 'tun'
        option secret '/etc/openvpn/vps.key'
        option mute_replay_warnings '1'
        option log '/tmp/openvpn_vps.log'
        option mute '3'
        option fast_io '1'
        option verb '1'
        list remote '252.252.252.252'
        option cipher 'AES-128-CBC'
        option compress 'lz4'
        option persist_tun '1'
        option persist_key '1'
        option keepalive '10 60'
        option ping_timer_rem '1'
        option status '/tmp/openvpn_vps-status.log'
        option ifconfig_noexec '1'
        option persist_remote_ip '1'
        option auth_nocache '1'
#       list route '0.0.0.0 128.0.0.0 10.0.20.1'
#       list route '128.0.0.0 128.0.0.0 10.0.20.1'

You'll need to create the symmetric secret key and install it on both ends.
openvpn --genkey --secret static.key

justme123 · November 15, 2019, 10:34pm

Would it be also possible to start more PtP instances in parallel ? Obviously, each with its own config file, shared key and tun interface + IP config (listening port) and ... regardless of LuCI accepting the configs or not.
I tried that under OpenWRT 15 and it didn't work, configuration went OK, but the openvpn (OpenWRT openvpn listening sessions) didn't want to accept the connections form outside. As far as I remember, I did some investigation, even with tcpdump, and learned that it was openvpn itself not handshaking / accepting the connection.

Ever since that failure I'm using a second system (usually a Raspberry Pi) with a full-fledged Linux distro to handle the multiple PtP VPNs and I consider it a pity, OpenWRT should handle such a scenario well.

mk24 · November 15, 2019, 11:54pm

OpenVPN is a client-server model. One end of a point to point link would be set up as a server and the other end the client. The same program binary can operate in either mode. A server needs to be able to accept incoming connections from the Internet, but the client does not.

You can have multiple clients connecting to one server. They can be able to communicate with each other by going to the server then back out, or this can be blocked.

Of course multiple instances of clients or servers can run by using different ports, with completely independent networking, but each instance needs several MB of RAM.

zorrua · November 16, 2019, 7:10am

Thanks trendy,

But I can not see the remote server address in your config.

I open 1194 udp port in both routers this way (/etc/config/firewall):

config rule
option name 'OpenVPN'
option src 'wan'
option proto 'udp'
option dest_port '1194'
option target 'ACCEPT'

I can not see the openvpn process running with "ps | grep openvpn"

I will continue searching.

Regards.

trendy · November 16, 2019, 5:24pm

list remote '252.252.252.252'

252.252.252.252 is fictional. You can use the dynamic dns name.
This is for the client side. On the server side I have this (Debian)

local 252.252.252.252
port 1198
proto udp
dev tun0
ifconfig 10.0.20.1 10.0.20.2
secret /etc/openvpn/vps.key
user nobody
group nogroup
daemon
compress lz4
cipher AES-128-CBC
keepalive 10 60
persist-tun
persist-key
ping-timer-rem
verb 3
log /tmp/ovpn.log
mute 3
explicit-exit-notify 1
fast-io